The name Charlie Miller will be familiar to anybody who follows Mac security. Miller, now a researcher at Accuvant, has over the past few years found a string of vulnerabilities in Apple's platforms, including an iPhone flaw that could be exploited via SMS, which Apple moved quickly to patch.

Miller's most recent discovery exploits a gap in the way JavaScript runs in newer versions of iOS. To speed up JavaScript execution, the Nitro engine that debuted in iOS 4.3 compiles scripts to native machine code on the fly, and that generated code has to live in memory that is both writable and executable. Such memory is exempt from the code-signing requirement iOS normally enforces, because the bytes are produced at runtime rather than shipped inside a signed binary. (Code signing does not certify what code does; it certifies who signed it and that it has not been altered since, so unsigned code is code the system has no way to vouch for.) Apple apparently confined that exemption to Safari's own process so that ordinary App Store apps could not use it, but Miller found a hole that let his own app do the same thing: load arbitrary unsigned code and run it.
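
The following is an added illustration, not code from the article, from Nitro, or from Miller's InstaStock app. It shows the capability a JIT needs and that code signing cannot cover: machine code written into memory at runtime and then executed, with no signature anywhere in the path. It uses the W^X discipline (map the page read-write, write the code, flip it to read-execute, never both at once) that a JIT should follow; how Apple actually gates this on iOS is not described in the article and is not assumed here. The function emitted is simply "return a constant"; the instruction encodings for x86-64 and AArch64 are the only architecture-specific part.

```c
/* Added example: runtime code generation (a minimal JIT) under W^X.
   Assumes a Linux or similar POSIX host on x86-64 or AArch64. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*const_fn)(void);

/* Write native code for "return value;" into buf.
   Returns the number of bytes emitted, or 0 on an unsupported architecture. */
static size_t emit_return_const(uint8_t *buf, uint16_t value) {
#if defined(__x86_64__)
    uint32_t imm = value;
    buf[0] = 0xB8;                 /* mov eax, imm32 */
    memcpy(buf + 1, &imm, 4);      /* little-endian immediate */
    buf[5] = 0xC3;                 /* ret */
    return 6;
#elif defined(__aarch64__)
    uint32_t movz = 0x52800000u | ((uint32_t)value << 5); /* movz w0, #value */
    uint32_t ret  = 0xD65F03C0u;                          /* ret */
    memcpy(buf, &movz, 4);
    memcpy(buf + 4, &ret, 4);
    return 8;
#else
    (void)buf; (void)value;
    return 0;
#endif
}

/* JIT-compile "return value;" and call it.
   The page is RW while we write and RX while we execute; it is never RWX.
   Returns the generated function's result, or -1 if anything fails. */
int run_jit_const(uint16_t value) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;

    /* 1. Writable, non-executable scratch page. */
    uint8_t *mem = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;

    /* 2. Emit the machine code. Nothing signs these bytes. */
    size_t n = emit_return_const(mem, value);
    if (n == 0) { munmap(mem, (size_t)page); return -1; }

    /* 3. Drop write permission before granting execute (W^X). */
    if (mprotect(mem, (size_t)page, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, (size_t)page);
        return -1;
    }
    /* Keep the instruction cache coherent with what we just wrote (needed on ARM). */
    __builtin___clear_cache((char *)mem, (char *)mem + n);

    /* 4. Call the freshly generated code. memcpy avoids the object-to-function
       pointer cast that strict ISO C forbids. */
    const_fn fn;
    memcpy(&fn, &mem, sizeof fn);
    int result = fn();

    munmap(mem, (size_t)page);
    return result;
}

int main(void) {
    printf("jit returned %d\n", run_jit_const(42));
    return 0;
}
```

The point of the example is step 2: a signature check can only run over bytes that exist before execution begins, and here the bytes are fabricated by the running process itself. A platform that wants code signing to mean anything therefore has to refuse writable-and-executable memory to every process except the one it trusts to generate code, which is exactly the line Miller's app crossed.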

To demonstrate this vulnerability, Miller submitted an app, InstaStock, to the App Store. While the application, a stock tracker, functioned as expected, it could also take advantage of the security flaw to make a connection to Miller’s server, allowing him access to the device’s hardware functions and data. Apple approved the application in September, but it wasn’t until this week that Miller showed off a video of himself exploiting the vulnerability. In the demo, Miller used the exploit to make the phone vibrate and to access its Address Book data.

Miller plans to demonstrate the exact nature of the vulnerability at next week's SyScan security conference in Taiwan. Apple did not immediately respond to a request for comment about when a patch could be expected. Earlier this month, though, the company promised an upcoming iOS update that would fix battery issues; it's possible that this update, expected within the next few weeks, may also patch this security vulnerability.

To comment on this article and other Macworld content, visit our Facebook page or our Twitter feed.